RE: [Acegisecurity-developer] Instance based security

Thu, 22 Jul 2004 18:45:18 -0700 

I agree with your assessment Ben.  Had many of those thoughts myself as
I was pondering our situation.  In the end we went with VOTERS DETECT
OBJECT AS PARAMETER AND QUERY ACL OBJECT.  Seems like the best choice
for us since we only want to deny or allow access not mutate or filter
properties of the object.

-----------------------------------------
Andres March
Platform - Apps Engineering
Sony Online Entertainment
desk: 858.577.3373
cell:   619.519.1519

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
Of
> Ben Alex
> Sent: Thursday, July 22, 2004 5:16 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Acegisecurity-developer] Instance based security
> 
> Andy Depue wrote:
> 
> >Has any thought been given to adding instance based security support
to
> Acegi?
> >This seems to be a common requirement.
> >
> >
> There are so many ways of approaching instant-level security, as
touched
> on by the other replies to this thread. The major issues are "where to
> get the domain instance specific ACL information from" and "how to
> change any returned value".
> 
> I've copied this to the RCP list as they probably have some views on
the
> optimal approach, and which they'd like to see demonstrated in
Petclinic
> RCP.
> 
> Here is a quick summary of the main ways to approach instance-level
> security from an Acegi Security perspective:
> 
> BUSINESS METHODS DO SECURITY THEMSELVES. This isn't as bad as it
sounds.
> Business methods can simply access the ContextHolder and obtain the
> Authentication object. That way they can filter etc as they see fit.
> Advantages: simple, no infrastructure required, can change the
returned
> object. Disadvantages: couples business code to Acegi, more difficult
to
> test as there is limited separation of concerns (though you can write
> separate utility classes to help overcome this).
> 
> VOTERS DETECT OBJECT AS PARAMETER AND QUERY EXISTING
> GrantedAuthority[]s. In this case you add custom GrantedAuthority[]s
to
> the Authentication object during the original authentication process.
> Later the voter looks up those authorities and authorizes access to
the
> domain instance accordingly. I'm presently using this approach in the
> Petclinic RCP sample (still being written, yet to be checked in).
> Advantages: simple, easy to test. Disadvantages: not scalable to
> thousands of instances, must customise the AuthenticationProvider (or
> AuthenticationDao if using DaoAuthenticationProvider), cannot change
the
> returned object.
> 
> VOTERS DETECT OBJECT AS PARAMETER AND OPEN ACTUAL INSTANCE. This is
used
> in the Contacts sample application. A voter handles detecting a method
> invocation concerning an identity, opens the domain instance, calls a
> getter to obtain the ACL (access control list) information, and a
> comparison is made to the Authentication object. Advantages: fairly
> simple, easy to test. Disadvantages: opens a domain instance twice (in
> the voter and again in the business method), cannot change the
returned
> object.
> 
> VOTERS DETECT OBJECT AS PARAMETER AND QUERY ACL OBJECT. This would be
a
> variation on the above option, but instead of opening the target
domain
> instance twice, an ACL manager object would be consulted to obtain the
> instance-specific privileges. Advantages: highly decoupled from the
> domain objects, addresses performance issues, simple to test the
parts,
> easily offers ACL inheritance, administration tools have a central
> reference point for all application ACL information. Disadvantages:
> getting complex, cannot change the returned object.
> 
> MethodSecurityInterceptor CALLS A RESULT PROCESSOR. This would be done
> so that a list of classes can routinely be applied against the object
> returned from a method invocation. These classes could do things like
> Andy needs, such as obfuscate properties etc. If we went with the
"voter
> backed with an ACL manager" approach on the way into the method
> invocation, these classes can easily determine which mutations they
> should perform on the returned object. The only requirement would be
the
> classes should not throw an exception, as the business methods have
> already taken place. An issue is how mutated values would affect ORM
if
> they were subsequently re-presented for committing. How do you handle
> this, Andy?
> 
> Comments? Preferences?
> 
> Best regards
> Ben
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Acegisecurity-developer mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Reply via email to